NASA/CR-2000-210086
ICASE  Report  No.  2000-12 


A  Compositional  Approach  to  Statecharts  Semantics 


Gerald  Luttgen 
ICASE,  Hampton,  Virginia 

Michael von der Beeck

Munich University of Technology, München, Germany
Rance Cleaveland

State  University  of  New  York  at  Stony  Brook,  Stony  Brook,  New  York 

Institute  for  Computer  Applications  in  Science  and  Engineering 
NASA  Langley  Research  Center 
Hampton,  VA 

Operated  by  Universities  Space  Research  Association 


National Aeronautics and Space Administration
Langley Research Center
Hampton, Virginia 23681-2199

Prepared for Langley Research Center under Contract NAS1-97046


March  2000 

distribution  statement  a 

Approved  for  Public  Release 
Distribution  Unlimited 





A  COMPOSITIONAL  APPROACH  TO  STATECHARTS  SEMANTICS 


GERALD LÜTTGEN†, MICHAEL VON DER BEECK‡, AND RANCE CLEAVELAND§

Abstract.  Statecharts  is  a  visual  language  for  specifying  reactive  system  behavior.  The  formalism 
extends  traditional  finite-state  machines  with  notions  of  hierarchy  and  concurrency,  and  it  is  used  in  many 
popular  software  design  notations.  A  large  part  of  the  appeal  of  Statecharts  derives  from  its  basis  in  state 
machines,  with  their  intuitive  operational  interpretation.  The  traditional  semantics  of  Statecharts,  however, 
suffers  from  a  serious  defect:  it  is  not  compositional,  meaning  that  the  behavior  of  system  descriptions 
cannot  be  inferred  from  the  behavior  of  their  subsystems.  Compositionality  is  a  prerequisite  for  exploiting 
the  modular  structure  of  Statecharts  for  simulation,  verification,  and  code  generation,  and  it  also  provides 
the  necessary  foundation  for  reusability. 

This  paper  suggests  a  new  compositional  approach  to  formalizing  Statecharts  semantics  as  flattened 
transition  systems  in  which  transitions  represent  system  steps.  The  approach  builds  on  ideas  developed 
for  timed  process  calculi  and  employs  structural  operational  rules  to  define  the  transitions  of  a  Statecharts 
expression  in  terms  of  the  transitions  of  its  subexpressions.  It  is  first  investigated  for  a  simple  dialect  of 
Statecharts,  with  respect  to  a  variant  of  Pnueli  and  Shalev’s  semantics,  and  is  illustrated  by  means  of  a  small 
example.  To  demonstrate  its  flexibility,  the  proposed  approach  is  then  extended  to  deal  with  practically  useful 
features  available  in  many  Statecharts  variants,  namely  state  references,  history  states,  and  priority  concepts 
along  state  hierarchies. 

Key words. compositionality, operational semantics, Statecharts

Subject  classification.  Computer  Science 

1.  Introduction.  Statecharts  [6]  is  a  visual  language  for  specifying  reactive,  embedded,  and  real-time 
systems.  The  formalism  extends  finite-state  machines  with  concepts  of  hierarchy,  concurrency,  and  priority; 
the  success  of  Statecharts  in  the  Software  Engineering  community  is  founded  on  its  intuitive  semantics  and 
its  capacity  for  modeling  the  complex  control  aspects  inherent  in  many  software  systems.  Different  dialects 
of  the  language  [30]  have  been  employed  in  several  software  design  notations  —  including  ROOM  [25], 
STATEMATE  [9],  and  UML  [3]  —  and  commercial  tools  provide  support  for  them.  Nevertheless,  precisely 
defining  Statecharts’  semantics  has  proved  extremely  challenging,  with  a  variety  of  proposals  being  offered 
in  the  literature  [5,  7,  8,  12,  13,  14,  16,  17,  19,  21,  23,  24,  27]. 
Existing Statecharts variants typically conform to the following interpretation of system behavior. A Statechart may respond to an event entering the system by engaging in an enabled transition, thus performing a micro step. This transition may generate new events which, by causality, may in turn trigger additional transitions while disabling others. The synchrony hypothesis ensures that one execution step, a so-called macro step, is complete as soon as this chain reaction comes to a halt. There is, however, an additional desirable ingredient that a practical Statecharts semantics should have: compositionality. Compositionality ensures that the semantics of a Statechart can be determined from the semantics of its components. This is of particular importance when simulating Statecharts or generating code, as one does not want to waste resources re-compiling a large Statechart if only a few of its components are changed. Compositionality is also useful when formally analyzing or verifying Statecharts. Unfortunately, all practically-relevant approaches to Statecharts semantics ignore compositionality, except for an approach presented for synchronous STATEMATE [5] whose semantics does not obey the synchrony hypothesis. Indeed, theoretical studies conducted by Huizing and Gerth [11] showed that one cannot combine the features of causality, synchrony hypothesis, and compositionality within a step semantics which labels transitions by sets of "input/output" events. In fact, the classical semantics of Statecharts — as defined by Pnueli and Shalev [23] — satisfies the synchrony hypothesis and causality, but is not compositional.

The  aim  of  this  paper  is  to  present  a  new  approach  to  defining  Statecharts  semantics  which  combines 
all  three  abovementioned  features  in  a  formal,  yet  operationally  intuitive,  fashion.  Our  semantic  account 
borrows  ideas  from  timed  process  calculi  [10],  which  also  employ  the  synchrony  hypothesis  [2]  and  which 
allow  one  to  represent  ordinary  system  behavior  and  clock  ticks  using  labeled  transition  systems.  These 
transition  systems  are  defined  via  structural  operational  rules  [22]  —  i.e.,  rules  in  SOS  format  —  along  the 
state  hierarchy  of  the  Statechart  under  consideration.  Our  semantics  explicitly  represents  macro  steps  as 
sequences  of  micro  steps  which  begin  and  end  with  the  ticking  of  a  global  clock.  Thereby,  compositionality  is 
achieved on the explicit micro-step level and causality and synchrony on the implicit macro-step level. The
current  work  builds  on  previous  research  by  the  authors  [15],  which  developed  a  compositional  timed  process 
algebra  that  was  then  used  to  embed  a  simple  variant  of  Statecharts  introduced  in  [16].  That  work  indirectly 
yielded  a  compositional  operational  semantics  for  Statecharts.  In  this  paper,  we  re-develop  the  semantics 
of  [15]  without  reference  to  a  process  algebra,  thereby  eliminating  the  rather  complicated  indirection.  Our 
intention  is  to  make  the  underlying  semantic  issues  and  design  decisions  for  Statecharts  more  apparent  and 
comprehensible.  The  paper  also  argues  for  the  flexibility  and  elegance  of  our  approach  by  extending  our 
semantics  to  cope  with  popular  Statecharts  features  used  in  practice,  such  as  state  references,  history  states, 
and  priority  concepts. 

Organization.  The  next  section  gives  a  brief  overview  of  Statecharts,  including  our  notation  and  its 
classical  semantics.  Sec.  3  presents  our  new  compositional  approach  to  Statecharts  semantics.  It  also 
establishes  a  coincidence  result  with  respect  to  the  traditional  step  semantics  and  illustrates  the  approach  by 
means  of  an  example.  Sec.  4  shows  how  our  framework  can  be  extended  to  include  various  features  employed 
in  many  Statecharts  dialects.  Finally,  Sec.  5  discusses  related  work,  while  Sec.  6  contains  our  conclusions 
and  directions  for  future  research. 

2.  A  Brief  Overview  of  Statecharts.  Statecharts  is  a  specification  language  for  reactive  systems, 
i.e.,  systems  characterized  by  their  ongoing  interaction  with  their  environment.  The  notation  enriches  basic 
finite-state  machines  with  concepts  of  hierarchy,  concurrency,  and  priority.  In  particular,  one  Statechart 
may  be  embedded  within  the  state  of  another  Statechart,  and  one  Statechart  may  be  composed  of  several 
simultaneously active sub-Statecharts which communicate via broadcasting events. Transitions are labeled
by  pairs  of  event  sets,  where  the  first  component  is  referred  to  as  trigger  and  may  include  negated  events, 
and  the  second  is  referred  to  as  action.  Intuitively,  if  the  environment  offers  all  the  positive  but  none  of  the 
negated  events  of  the  trigger,  then  the  transition  is  enabled  and  can  be  executed,  thereby  generating  the 
events  in  the  label’s  action. 

As a simple (academic) example, consider the Statechart depicted in Fig. 2.1. It consists of an and-state, labeled by $n_1$, which denotes the parallel composition of the two Statecharts labeled by $n_2$ and $n_3$, both of which are or-states describing a sequential state machine. Or-state $n_2$ is further refined by or-state $n_4$ and basic state $n_5$, which are connected via transition $t_1$ labeled by $b$. The label specifies that $t_1$ is triggered by the occurrence of event $b$; its execution does not generate any new event as its action is empty. Or-state $n_4$ contains the basic states $n_8$ and $n_9$, connected by transition $t_3$ with trigger $a \wedge \neg b$ and empty action; hence, $t_3$ is enabled if event $a$ but not event $b$ occurs. Or-state $n_3$ consists of two basic states $n_6$ and $n_7$ connected via transition $t_2$ with label $a/b$, so that upon occurrence of trigger event $a$, transition $t_2$ can be executed and generate event $b$.

In  this  paper,  we  first  consider  a  simple  dialect  of  Statecharts  that  supports  a  basic  subset  of  the  popular 
features  present  in  many  Statecharts  variants.  In  particular,  it  considers  hierarchy  and  concurrency.  However, 
it  ignores  interlevel  transitions  (i.e.,  transitions  crossing  borderlines  of  states),  state  references  (i.e.,  triggers 
of  the  form  in(n),  where  n  is  the  name  of  a  state),  and  history  states  (remembering  the  last  active  sub-state 
of  an  or-state).  In  addition,  state  hierarchy  does  not  impose  implicit  priorities  to  transitions  in  a  way  that 
either  transitions  on  higher  levels  of  the  hierarchy  have  precedence  over  lower  level  ones  or  the  other  way 
around.  To  illustrate  the  flexibility  of  our  approach,  we  show  in  Sec.  4  how  it  can  be  extended  to  deal  with 
state  references,  history  states,  and  the  abovementioned  priority  concepts.  Interlevel  transitions,  however, 
cannot  be  brought  in  accordance  with  a  compositional  semantics,  as  they  represent  an  unstructured  “goto” 
behavior  (cf.  Sec.  5). 

2.1. Term-based Syntax. For our purposes it is convenient to represent Statecharts not visually but by terms, as is done in [15, 16]. Formally, let $\mathcal{N}$ be a countable set of names for Statecharts states, $\mathcal{T}$ be a countable set of names for Statecharts transitions, and $\Pi$ be a countable set of Statecharts events. For technical convenience we assume that $\mathcal{N}$ and $\mathcal{T}$ are disjoint. With every event $e \in \Pi$ we associate a negated counterpart $\neg e$ and define $\neg\neg e =_{df} e$ as well as $\neg E =_{df} \{\neg e \mid e \in E\}$ for $E \subseteq \Pi \cup \{\neg e \mid e \in \Pi\}$. The set $SC$ of Statecharts terms is then defined by the following inductive rules.

1. Basic state: If $n \in \mathcal{N}$, then $s = [n]$ is a Statecharts term.

2. Or-state: Suppose that $n \in \mathcal{N}$ and that $s_1, \ldots, s_k$ are Statecharts terms for $k > 0$, with $\vec{s} =_{df} (s_1, \ldots, s_k)$. Also let $\rho =_{df} \{1, \ldots, k\}$ and $l \in \rho$, with $T \subseteq \mathcal{T} \times \rho \times 2^{\Pi \cup \neg\Pi} \times 2^{\Pi} \times \rho$. Then $s = [n : \vec{s}; l; T]$ is a Statecharts term. Here $s_1, \ldots, s_k$ are the sub-states of $s$, set $T$ contains the transitions connecting these states, $s_1$ is the default state of $s$, and $s_l$ is the currently active sub-state of $s$.

3. And-state: If $n \in \mathcal{N}$, if $s_1, \ldots, s_k$ are Statecharts terms for $k > 0$, and if $\vec{s} =_{df} (s_1, \ldots, s_k)$, then $s = [n : \vec{s}]$ is a Statecharts term, where $s_1, \ldots, s_k$ are the (parallel) sub-states of $s$.


Fig.  2.1.  Example  Statechart 
Transitions of or-states $[n : (s_1, \ldots, s_k); l; T]$ are of the form $t =_{df} (\hat{t}, i, E, A, j)$, where (i) $\hat{t}$ is the name of $t$, (ii) $\mathrm{source}(t) =_{df} s_i$ is the source state of $t$, (iii) $\mathrm{trg}(t) =_{df} E$ is the trigger of $t$, (iv) $\mathrm{act}(t) =_{df} A$ is the action of $t$, and (v) $\mathrm{target}(t) =_{df} s_j$ is the target state of $t$. In the sequel, we let $\mathrm{trg}^+(t)$ stand for $\mathrm{trg}(t) \cap \Pi$ and $\mathrm{trg}^-(t)$ for $\mathrm{trg}(t) \cap \neg\Pi$. For technical convenience, we assume that all state names and transition names are mutually disjoint. Hence, we may uniquely refer to states and transitions by using their names, e.g., we may write $t$ for $\hat{t}$. We also assume that no transition produces an event which appears negated in its trigger. The Statecharts term corresponding to the Statechart depicted in Fig. 2.1 is term $s_1$, which is defined as follows.¹

$s_1 =_{df} [n_1 : (s_2, s_3)]$
$s_2 =_{df} [n_2 : (s_4, s_5); 1; \{(t_1, 1, \{b\}, \emptyset, 2)\}]$
$s_3 =_{df} [n_3 : (s_6, s_7); 1; \{(t_2, 1, \{a\}, \{b\}, 2)\}]$
$s_4 =_{df} [n_4 : (s_8, s_9); 1; \{(t_3, 1, \{a, \neg b\}, \emptyset, 2)\}]$
$s_5 =_{df} [n_5] \quad s_6 =_{df} [n_6] \quad s_7 =_{df} [n_7] \quad s_8 =_{df} [n_8] \quad s_9 =_{df} [n_9]$


2.2.  Classical  Semantics.  In  this  section,  we  sketch  the  semantics  of  Statecharts  terms  adopted  in  [16], 
which  is  a  slight  variant  of  the  “classical”  Statecharts  semantics  as  proposed  by  Pnueli  and  Shalev  [23].  We 
refer  the  reader  to  [16]  for  a  more  detailed  discussion  of  the  underlying  semantic  issues. 

As mentioned before, a Statechart $s$ reacts to the arrival of some external events by triggering enabled micro steps in a chain-reaction manner. When this chain reaction comes to a halt, a complete macro step has been performed. More precisely, a macro step comprises a maximal set of micro steps, or transitions, that (i) are relevant, (ii) are mutually consistent, (iii) are triggered by events $E \subseteq \Pi$ offered by the environment or generated by other micro steps, (iv) are mutually compatible, and (v) obey the principle of causality. These notions may be defined as follows. Let $s \in SC$, let $t$ be a transition in $s$, let $T$ be a set of transitions in $s$, and let $E \subseteq \Pi$. Transition $t$ is relevant for Statecharts term $s$, in signs $t \in \mathrm{relevant}(s)$, if the source state of $t$ is currently active. Transition $t$ is consistent with all transitions in $T$, in signs $t \in \mathrm{consistent}(s, T)$, if $t$ is located in a different parallel component than every transition in $T$. Transition $t$ is triggered by event set $E$, in signs $t \in \mathrm{triggered}(s, E)$, if the positive but not the negative trigger events of $t$ are in $E$. Transition $t$ is compatible with all transitions in $T$, in signs $t \in \mathrm{compatible}(s, T)$, if no event produced by $t$ appears negated in a trigger of a transition in $T$. Finally, we say that transition $t$ is enabled in $s$ with respect to event set $E$ and transition set $T$, if $t \in \mathrm{enabled}(s, E, T)$, where

$$\mathrm{enabled}(s, E, T) =_{df} \mathrm{relevant}(s) \cap \mathrm{consistent}(s, T) \cap \mathrm{triggered}\big(s,\ E \cup \textstyle\bigcup_{t \in T} \mathrm{act}(t)\big) \cap \mathrm{compatible}(s, T).$$

A macro step in a Statechart is a subset of enabled that is causally well-founded. Technically, causality holds when there exists an ordering among the transitions in a macro step such that no transition $t$ in the macro step depends on events generated by transitions occurring after $t$.

In [16], an operational approach for causally justifying the triggering of each transition of a macro step is given. It employs the nondeterministic step-construction function presented in Fig. 2.2, which is adapted from Pnueli and Shalev [23]. Given a Statecharts term $s$ and a set $E$ of events, the step-construction function nondeterministically computes a set $T^*$ of transitions. In this case, Statecharts term $s$ may evolve in the single macro step $s \stackrel{E}{\Longrightarrow}_A s'$ to Statecharts term $s'$, thereby executing the transitions in $T^*$ and producing the events $A =_{df} \bigcup_{t \in T^*} \mathrm{act}(t)$. Term $s'$ can be derived from $s$ by updating the index $l$

¹Note that the second and fifth component of a transition $(t, i, E, A, j)$ in some or-state $s = [n : \vec{s}; l; T]$ refer to the indexes of the source and target state in the sequence $\vec{s} = (s_1, \ldots, s_k)$, respectively, and not to the states' names.


Fig. 2.2. Step construction

    function step-construction(s, E);
      var T := ∅;
      while T ⊂ enabled(s, E, T) do
        choose t ∈ enabled(s, E, T) \ T;
        T := T ∪ {t}
      od;
      return T
in every or-state $[n : (s_1, \ldots, s_k); l; T]$ of $s$ satisfying $t \in T^*$ for some $t \in T$. Observe that once one has constructed a macro step, all information about how the macro step was derived is discarded. This is the source of the compositionality defect of this semantics for Statecharts: when two Statecharts are composed in parallel, the combination of the causality orderings may introduce newly enabled transitions.

Let us illustrate a couple of macro steps of the example Statechart depicted in Fig. 2.1. For convenience, we abbreviate a Statecharts term by its active basic states, e.g., term $s_1$ is abbreviated by $(n_8, n_6)$. Moreover, we let $\Pi =_{df} \{a, b\}$ and assume that the environment only offers event $a$. Then, both transitions $t_2$ and $t_3$ are enabled, and the execution of $t_3$ results in macro step $(n_8, n_6) \stackrel{\{a\}}{\Longrightarrow}_{\emptyset} (n_9, n_6)$, i.e., a macro step in which only a single transition takes part. Although $t_2$ is also enabled, it cannot be executed together with $t_3$ in the same macro step. The reason is that this would violate global consistency, since $t_2$ generates event $b$ whose negated counterpart is contained in the trigger of $t_3$. However, transitions $t_1$ and $t_2$ can take part in the same macro step, as $t_1$ is located in a different parallel component than $t_2$ and is triggered by event $b$ which is generated by $t_2$. This leads to macro step $(n_8, n_6) \stackrel{\{a\}}{\Longrightarrow}_{\{b\}} (n_5, n_7)$. All potential macro steps of our example Statechart can be found in Fig. 3.2, right-hand side.

3.  A  Compositional  Statecharts  Semantics.  In  this  section,  we  present  our  approach  to  defining 
a  compositional  semantics  for  Statecharts,  which  is  based  on  flat  labeled  transition  systems.  In  contrast 
to  related  work,  we  do  not  develop  a  semantics  on  the  macro-step  level  but  on  the  micro-step  level  and 
represent  macro  steps  as  sequences  of  micro  steps.  Within  such  a  setting,  compositionality  is  easy  to  achieve. 
The  challenge  is  to  identify  the  states  at  which  macro  steps  start  and  end  so  that  Statecharts’  traditional, 
non-compositional  macro-step  semantics  can  be  recovered.  Our  solution  is  based  on  the  observation  that 
since Statecharts is a synchronous language, ideas from timed process calculi may be adapted. In particular, we use explicit global clock ticks to denote the boundaries of macro steps.

Our flat labeled transition systems therefore possess two kinds of transitions: those representing the execution of a Statecharts transition and those representing global clock ticks. In timed process calculi such transitions are referred to as action transitions and clock transitions, respectively. The ideas behind our semantics are illustrated in Fig. 3.1, where clock transitions are labeled by $\sigma$. The other transitions are action transitions and actually carry pairs $(E', N')$ of event sets as labels. An action transition stands for a single Statechart transition which is enabled if the system environment offers all events in $E'$ but none in $N'$. The states of our transition systems are annotated with (extended) Statecharts terms from which one may infer the events generated at any point of execution of the considered Statechart. Accordingly, the classical macro-step semantics of Statecharts can be recovered from our semantics as follows: Assume that the global clock ticks, symbolizing the beginning of a macro step, when the system environment offers the events in $E$. Starting from a clock transition, follow an arbitrary path of action transitions that are triggered by $E$, i.e., whose labels $(E', N')$ satisfy $E' \subseteq E$ and $N' \cap E = \emptyset$. When another clock transition is executed, the constructed macro step is complete. The states traversed in the path collect the events introduced by the fired Statecharts transitions along the path. Hence, from the source state of the concluding clock transition one may extract all events generated in the considered macro step. Note that, according to the synchrony hypothesis, clock transitions are prohibited unless no additional action transition can be executed relative to environment $E$. In a nutshell, our semantics is defined in a way that achieves compositionality on the explicit micro-step level, while causality and the synchrony hypothesis are observed on the implicit macro-step level.

Fig. 3.1. Illustration of our operational semantics. (Labels in the figure: clock tick; chain reaction, i.e., sequences of micro steps; state 'annotated' with events generated by macro step; synchrony hypothesis; macro step.)

Table 3.1
Functions out and default

$\mathrm{out}([n]) =_{df} \emptyset$
$\mathrm{out}([n : \vec{s}; l; T]) =_{df} \mathrm{out}(s_l)$
$\mathrm{out}([n : \vec{s}; t; T]) =_{df} \mathrm{act}(t) \cup \mathrm{trg}^-(t)$
$\mathrm{out}([n :: \vec{s}; l; T]) =_{df} \mathrm{out}(s_l)$
$\mathrm{out}([n : (s_1, \ldots, s_k)]) =_{df} \bigcup_{i=1}^{k} \mathrm{out}(s_i)$

$\mathrm{default}([n]) =_{df} [n]$
$\mathrm{default}([n : \vec{s}; l; T]) =_{df} [n : \vec{s}[1 \mapsto \mathrm{default}(s_1)]; 1; T]$
$\mathrm{default}([n : \vec{s}]) =_{df} [n : \mathrm{default}(\vec{s})]$


3.1. Formalization. To formalize our abovementioned intuitions, we first need to extend the definition of Statecharts terms such that "Statecharts snap-shots," taken after partial executions of macro steps, can be represented. Formally, we add the following rule to the inductive definition of Statecharts terms presented in Sec. 2: If $[n : \vec{s}; l; T]$ is a Statecharts term, then $[n : \vec{s}; t; T]$, for $t \in T$, and $[n :: \vec{s}; l; T]$ are Statecharts terms. Intuitively, term $[n : \vec{s}; t; T]$ represents an or-state after firing some 'top-level' transition $t \in T$. On the other hand, term $[n :: \v{s}; l; T]$ represents an or-state after firing some 'inner' transition, i.e., a transition originating in the active sub-state $s_l$. The extended set of Statecharts terms is denoted by $\mu SC$, and its elements are sometimes referred to as micro terms. Our formalization of Statecharts semantics also requires us to be able to extract all events $\mathrm{out}(s)$ from a micro term $s$, which are generated by transitions that have been fired during the considered partial macro step. Additionally, $\mathrm{out}(s)$ includes all negated trigger events of the executed transitions, which is necessary to ensure the Statecharts property of global consistency, as will become clear shortly. The function $\mathrm{out}(s) \subseteq \Pi \cup \neg\Pi$ can be defined inductively along the structure of $s$, and its definition is displayed in Table 3.1. Finally, we need one more auxiliary function, $\mathrm{default}(s)$ which, given a Statecharts term $s \in SC$, resets all the active states of its or-states to their respective initial states. Also this function can be defined on the structure of $s$ as is done in Table 3.1. For convenience, we write $\mathrm{default}(\vec{s})$ for $\mathrm{default}((s_1, \ldots, s_k)) =_{df} (\mathrm{default}(s_1), \ldots, \mathrm{default}(s_k))$ and define $\vec{s}[l \mapsto s'] =_{df} (s_1, \ldots, s_{l-1}, s', s_{l+1}, \ldots, s_k)$, for all $1 \le l \le k$ and $s' \in SC$.

Now we are able to present our semantics of a Statecharts term $s \in SC$. As indicated before, the semantics of $s$ is defined as a labeled transition system, such that (i) the states are terms in $\mu SC$, (ii) the start state is $s$, and (iii) the two transition relations, $\longrightarrow\ \subseteq \mu SC \times 2^{\Pi} \times 2^{\Pi \cup \neg\Pi} \times \mu SC$ and $\xrightarrow{\sigma}\ \subseteq \mu SC \times \mu SC$, are defined via structural operational rules [22]. Each rule is of the form

$$\text{name}\ \ \dfrac{\text{premise}\ \ldots}{\text{conclusion}}\ \ \text{side condition}$$

and should be read as follows: Rule (name) is applicable if both the statements in its premise and its side condition hold; in this case, one might infer the conclusion.

The operational rules for action transitions are given in Table 3.2, where the subscript of the transition relation should be ignored for now; the subscript will only be needed in Sec. 4.3. For convenience, we write $s \xrightarrow[N]{E} s'$ instead of $(s, E, N, s') \in \longrightarrow$. Moreover, we let $\vec{s}$ stand for the sequence $(s_1, \ldots, s_k)$ and write $|\vec{s}|$ for $k$. Intuitively, Rule (OR1) states that or-state $[n : \vec{s}; l; T]$ can evolve to $[n : \vec{s}; t; T]$ if transition $t$ is enabled,
Table 3.2
Operational rules: action transitions

(OR1) $\dfrac{}{[n : \vec{s}; l; T] \xrightarrow[\neg\mathrm{trg}^-(t) \,\cup\, \neg\mathrm{act}(t)]{\mathrm{trg}^+(t)} [n : \vec{s}; t; T]}$ \quad $t \in T$, $\mathrm{source}(t) = s_l$

(OR2) $\dfrac{s_l \xrightarrow[N]{E} s'_l}{[n : \vec{s}; l; T] \xrightarrow[N]{E} [n :: \vec{s}[l \mapsto s'_l]; l; T]}$

(OR3) $\dfrac{s_l \xrightarrow[N]{E} s'_l}{[n :: \vec{s}; l; T] \xrightarrow[N]{E} [n :: \vec{s}[l \mapsto s'_l]; l; T]}$

(AND) $\dfrac{\exists\, 1 \le l \le |\vec{s}|.\ s_l \xrightarrow[N]{E} s'_l}{[n : \vec{s}] \xrightarrow[N]{E \,\setminus\, \bigcup_{j \ne l} \mathrm{out}(s_j)} [n : \vec{s}[l \mapsto s'_l]]}$ \quad $N \cap \bigcup_{j \ne l} \mathrm{out}(s_j) = \emptyset$

i.e., if (i) the source state of $t$ is the currently active state $s_l$, (ii) all its positive trigger events $\mathrm{trg}^+(t)$ are offered by the environment, (iii) the positive counterparts of all its negated trigger events $\mathrm{trg}^-(t)$ are not offered by the environment, and (iv) the negated events corresponding to $\mathrm{act}(t)$ are not offered by the environment, i.e., no transition within the same macro step has already fired due to the absence of such an event. The latter is necessary for implementing global consistency in our semantics. Rules (OR2) and (OR3) deal with the case that an inner transition of the active sub-state $s_l$ of the considered or-state is executed. Hence, sub-state $s_l$ needs to be updated accordingly. The resulting micro term $[n :: \vec{s}[l \mapsto s'_l]; l; T]$ also reflects — via the double colons — that a transition originating within the or-state has been executed, in which case the or-state may no longer engage in a transition in $T$ during the same macro step, i.e., before executing the next clock transition. Finally, Rule (AND) deals with and-states. If sub-state $s_l$ fires a transition $s_l \xrightarrow[N]{E} s'_l$, then the and-state can do so as well, provided that no event in $N$ is offered by some other sub-state (cf. the rule's side condition). Moreover, for triggering the transition in the context of the and-state only those events $e \in E$ need to be offered by the environment, which are not already offered by some other 'parallel' sub-state of the and-state, i.e., for which $e \in E \setminus \bigcup_{j \ne l} \mathrm{out}(s_j)$ holds.

Table 3.3
Operational rules: clock transitions

(cBAS) $\dfrac{}{[n] \xrightarrow{\sigma} [n]}$

(cOR1) $\dfrac{}{[n : \vec{s}; t; T] \xrightarrow{\sigma} [n : \vec{s}[i \mapsto \mathrm{default}(s_i)]; i; T]}$ \quad $\mathrm{target}(t) = s_i$

(cOR2) $\dfrac{}{[n : \vec{s}; l; T] \xrightarrow{\sigma} [n : \vec{s}; l; T]}$ \quad $[n : \vec{s}; l; T] \overset{\emptyset}{\underset{\emptyset}{\nrightarrow}}$

(cOR3) $\dfrac{s_l \xrightarrow{\sigma} s'_l}{[n :: \vec{s}; l; T] \xrightarrow{\sigma} [n : \vec{s}[l \mapsto s'_l]; l; T]}$

(cAND) $\dfrac{\forall\, 1 \le l \le |\vec{s}|.\ s_l \xrightarrow{\sigma} s'_l}{[n : \vec{s}] \xrightarrow{\sigma} [n : \vec{s}\,']}$ \quad $[n : \vec{s}] \overset{\emptyset}{\underset{\emptyset}{\nrightarrow}}$

Clock transitions are defined by the rules in Table 3.3, which use the notation $s \xrightarrow{\sigma} s'$ for $(s, s') \in \xrightarrow{\sigma}$. Intuitively, a clock transition models the completion of a macro step by updating the active states in the considered micro term according to the transitions that have been executed in the macro step. Due to the synchrony hypothesis of Statecharts, this implies in particular that a clock transition can only be performed if the considered Statechart term $s$ cannot autonomously engage in a further action transition, i.e., if $s \overset{\emptyset}{\underset{\emptyset}{\nrightarrow}}$ holds, which stands for $\nexists s'.\ s \xrightarrow[\emptyset]{\emptyset} s'$. Note that both event sets in the label must be empty; otherwise, the action transition is not enabled with respect to all potential system environments and our semantics would not be compositional. In this vein, Rule (cBAS) states that a basic state can always accept a clock tick as it does not possess any (enabled) transitions. Rule (cOR1) reflects the update of micro term $[n : \vec{s}; t; T]$ representing an or-state after transition $t \in T$ has fired. More precisely, the sub-state of the considered or-state is updated to the target state $s_i$ of $t$, where all active states of $s_i$ are reset to their initial states. In case that no transition of the considered or-state has been executed — i.e., the or-state is represented by micro term $[n : \vec{s}; l; T]$ — and none is enabled — i.e., $[n : \vec{s}; l; T] \overset{\emptyset}{\underset{\emptyset}{\nrightarrow}}$ holds —, a clock tick can be accepted and does not result in any change of state (cf. Rule (cOR2)). Rule (cOR3) formalizes the behavior that an or-state can engage in a clock transition if its active sub-state can engage in one. Finally, Rule (cAND) states that an and-state can engage in a clock transition if all its sub-states can, provided that there is no action transition whose execution cannot be prevented, i.e., provided that $[n : \vec{s}] \overset{\emptyset}{\underset{\emptyset}{\nrightarrow}}$ holds.

It is fairly easy to see that our new semantics is compositional, as each transition of a Statecharts term is defined by referring to the transitions of its sub-terms only. One exception is that the definition of clock transitions depends on that of action transitions. However, the same is not true the other way around, i.e., there are no mutual dependencies in our operational rules. As an alternative means for checking compositionality, one may employ meta-theoretic results about the compositionality of semantics defined via structural operational rules (SOS rules) [29].


3.2. Macro-step Interpretation and Coincidence Result. The above rules provide a compositional semantics of Statecharts on the micro-step level. However, our consideration of a global abstract clock allows us to retrieve the classical macro-step semantics of Statecharts, as mentioned at the beginning of Sec. 3.

DEFINITION 3.1. For $s, s' \in SC$ and $E, A \subseteq \Pi$ we write $s \overset{E}{\Longrightarrow}_{A} s'$ and say that $s$ may perform a macro step with input $E$ and output $A$ to $s'$, if $\exists s_1, \dots, s_m \in \mu SC$, $\exists E_1, \dots, E_m \subseteq \Pi$, $\exists N_1, \dots, N_m \subseteq \Pi \cup \neg\Pi$, for some $m \in \mathbb{N}$, such that (1) $s \xrightarrow[N_1]{E_1} s_1 \xrightarrow[N_2]{E_2} \cdots \xrightarrow[N_m]{E_m} s_m \xrightarrow{\sigma} s'$, (2) $\bigcup_{i=1}^{m} E_i \subseteq E$, (3) $\bigcup_{i=1}^{m} N_i \cap E = \emptyset$, (4) $A = \mathrm{out}(s_m) \cap \Pi$, and (5) $\nexists s_{m+1}, E_{m+1}, N_{m+1}.\ s_m \xrightarrow[N_{m+1}]{E_{m+1}} s_{m+1}$, $E_{m+1} \subseteq E$, and $N_{m+1} \cap E = \emptyset$.

While Conds. (2) and (3) guarantee that all considered action transitions are enabled by the environment, Cond. (5) ensures the maximality of the macro step, i.e., it implements the synchrony hypothesis. Now, we can establish the desired result, namely that our macro-step semantics coincides with the classical macro-step semantics of Statecharts. Hence, our semantics is not ‘randomly’ defined.

Theorem 3.2. Let $s, s' \in SC$ and $E, A \subseteq \Pi$. Then $s \overset{E}{\Longrightarrow}_{A} s'$ holds according to the classical macro-step semantics if and only if $s \overset{E}{\Longrightarrow}_{A} s'$ holds according to Def. 3.1.

Proof sketch. Consider the following construction. If $T = (t_1, \dots, t_m)$ is a sequence of Statecharts transitions of $s \in SC$ generated by the step-construction function relative to environment $E \subseteq \Pi$ and satisfying $A = \bigcup_{j=1}^{m} \mathrm{out}(t_j)$, then there exists a sequence of $m$ action transitions as described in Def. 3.1, such that the $i$-th action transition corresponds to the execution of $t_i$ in $s$. Vice versa, assume that the conditions of Def. 3.1 are satisfied for some $E \subseteq \Pi$ and that $T = (t_1, \dots, t_m)$ is the sequence of Statecharts transitions which can be identified with the considered sequence of action transitions starting in $s$. Then, $T$ can be generated by the step-construction function relative to $s$ and $E$, where the transitions fire in the order indicated by sequence $T$. □


3.3. Example. We now return to our example Statechart of Fig. 2.1. Our semantics of this Statechart and its classical macro-step semantics are depicted on the left and right in Fig. 3.2, respectively. In both diagrams, we represent a transition of the form $s \xrightarrow[N]{E} s'$ by writing $E$ to the left of or above the arrow and $N$ to the right of or below the arrow. We also abbreviate a set of events by listing its elements, e.g., writing $ab$ for $\{a, b\}$, and denote alternatives for $E$ at the same arrow by separating them by commas. Finally, we employ our notation introduced in Sec. 2.2 and additionally write $t$ for the micro term $[n : s; t; T]$.

Fig. 3.2. Our semantics (left) and the macro-step semantics (right) for the Statechart depicted in Fig. 2.1

The right diagram in Fig. 3.2 includes the macro steps $(n_8, n_6) \Longrightarrow (n_9, n_5)$ and $(n_8, n_6) \Longrightarrow (n_5, n_7)$ which we already considered in Sec. 2.2. According to Thm. 3.2, both macro steps can be explained in terms of sequences of micro steps displayed on the left in Fig. 3.2, which start with state $(n_8, n_6)$ and end with the execution of a clock transition. The first macro step is given by the sequence $(n_8, n_6) \longrightarrow (t_3, n_6) \xrightarrow{\sigma} (n_9, n_5)$, where $\mathrm{out}((t_3, n_6)) = \{\neg b\}$, and the second macro step is encoded by the sequence $(n_8, n_6) \longrightarrow (n_8, t_2) \longrightarrow (t_1, t_2) \xrightarrow{\sigma} (n_5, n_7)$, where $\mathrm{out}((t_1, t_2)) = \{b\}$.

4.  Extensions:  State  References,  History  States,  &  Priority  Concepts.  We  now  illustrate 
the  flexibility  of  our  approach  by  adapting  it  to  incorporate  features  offered  by  many  popular  Statecharts 
variants,  namely  state  references,  history  mechanisms,  and  priority  concepts  along  the  or-state  hierarchy. 


Table 4.1

Modified definition of out needed when modeling state references

$\mathrm{out}([n]) =_{df} \{\mathit{in}(n)\}$
$\mathrm{out}([n : s; l; T]) =_{df} \mathrm{out}(s_l) \cup \{\mathit{in}(n)\}$
$\mathrm{out}([n :: s; l; T]) =_{df} \mathrm{out}(s_l) \cup \{\mathit{in}(n)\}$
$\mathrm{out}([n : (s_1, \dots, s_k)]) =_{df} \bigcup_{i=1}^{k} \mathrm{out}(s_i) \cup \{\mathit{in}(n)\}$
$\mathrm{out}([n : s; t; T]) =_{df} \mathrm{act}(t) \cup \mathrm{trg}^{-}(t) \cup \{\mathit{in}(n)\}$


4.1. State References. Many Statecharts variants permit trigger events of the form $\mathit{in}(n)$, for $n \in N$, which are satisfied whenever state $n$ is active. In our setting, we may encode this feature via the employed communication scheme. To do so, we first extend the set $\Pi$ of events by the distinguished events $\mathit{in}(n)$, for all $n \in N$. Moreover, the sets $\mathrm{out}(s)$, for $s \in \mu SC$, need to be re-defined, as shown in Table 4.1, such that they include the events $\mathit{in}(n)$, for any active state $n$ in $s$. It is easy to see that the resulting semantics handles state references as expected.

4.2. History States. Upon entering or-states, their initial states are activated. However, in practice it is often convenient to have the option to return to the sub-state which was active when last exiting an or-state, e.g., after completing an interrupt routine. In Statecharts’ visual syntax this is done by permitting distinguished history states in or-states to which transitions from the outside of the considered or-states may point. Such history states can have two flavors: deep and shallow. Deep means that the ‘old’ active state of the or-state and the ‘old’ active states of all its sub-states are restored. Shallow means that only the active state of the or-state is restored and that its sub-states are reinitialized as usual. In our term-based setting, we may model history states and transitions traversing to history states as follows. For each transition $t$ pointing to some or-state $s$, we additionally record a history flag $p \in \{\mathit{none}, \mathit{deep}, \mathit{shallow}\}$. If $p = \mathit{none}$, then transition $t$ is interpreted as usual; otherwise it is interpreted to point to the deep (if $p = \mathit{deep}$) or shallow (if $p = \mathit{shallow}$) history state in $s$.
In the light of this formalization, it is easy to integrate a history mechanism in our operational semantics. One just has to replace function $\mathrm{default}(s_j)$ in Rule (cOR1) by function $\mathrm{default}(p, s_j)$, where $p \in \{\mathit{none}, \mathit{deep}, \mathit{shallow}\}$ is the history flag of the considered transition $t$. The terms $\mathrm{default}(\mathit{none}, s)$ and $\mathrm{default}(\mathit{deep}, s)$ are simply defined by $\mathrm{default}(s)$ and $s$, respectively. The definition of $\mathrm{default}(\mathit{shallow}, s)$ can be done along the structure of Statecharts terms as follows.

(i) $\mathrm{default}(\mathit{shallow}, [n]) =_{df} [n]$

(ii) $\mathrm{default}(\mathit{shallow}, [n : s; l; T]) =_{df} [n : s[\mathrm{default}(s_l)/s_l]; l; T]$, where $s[\mathrm{default}(s_l)/s_l]$ denotes $s$ with its $l$-th component replaced by $\mathrm{default}(s_l)$

(iii) $\mathrm{default}(\mathit{shallow}, [n : s]) =_{df} [n : \mathrm{default}(\mathit{shallow}, s)]$

Here, $\mathrm{default}(\mathit{shallow}, s)$, where $s = (s_1, \dots, s_k)$, stands for $(\mathrm{default}(\mathit{shallow}, s_1), \dots, \mathrm{default}(\mathit{shallow}, s_k))$. Note that $\mathrm{default}(p, s)$ needs only be defined for Statecharts terms and not for the more general micro terms.
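As an added illustration (not code from the paper), the following Python module encodes Statecharts terms and the three history flavors of $\mathrm{default}(p, s)$ above. Assumed for this example: the first sub-state of an or-state is its initial state, so $\mathrm{default}(s)$ resets every active index to 0, and transition sets are kept as opaque name tuples.

```python
from dataclasses import dataclass
from typing import Tuple, Union

# Statecharts terms in the paper's three forms. Assumption for this example:
# the first sub-state of an or-state is its initial state (index 0 here, the
# paper writes l for the active index with one-based numbering).

@dataclass(frozen=True)
class Basic:                       # [n]
    name: str

@dataclass(frozen=True)
class Or:                          # [n : (s_1, ..., s_k); l; T]
    name: str
    subs: Tuple["Term", ...]
    active: int                    # index l of the active sub-state
    trans: Tuple[str, ...] = ()    # transition names T (opaque here)

@dataclass(frozen=True)
class And:                         # [n : (s_1, ..., s_k)]
    name: str
    subs: Tuple["Term", ...]

Term = Union[Basic, Or, And]

def default(s: Term) -> Term:
    """default(s): reset every or-state inside s to its initial sub-state."""
    if isinstance(s, Basic):
        return s
    if isinstance(s, Or):
        return Or(s.name, tuple(default(c) for c in s.subs), 0, s.trans)
    return And(s.name, tuple(default(c) for c in s.subs))

def default_hist(p: str, s: Term) -> Term:
    """default(p, s) for the history flag p in {'none', 'deep', 'shallow'}."""
    if p == "none":                # no history: plain default(s)
        return default(s)
    if p == "deep":                # deep history: restore the whole old term
        return s
    if p != "shallow":
        raise ValueError(f"unknown history flag {p!r}")
    if isinstance(s, Basic):       # clause (i)
        return s
    if isinstance(s, Or):          # clause (ii): keep l, reset s_l internally
        subs = list(s.subs)
        subs[s.active] = default(subs[s.active])
        return Or(s.name, tuple(subs), s.active, s.trans)
    return And(s.name, tuple(default_hist("shallow", c) for c in s.subs))  # (iii)

def active_states(s: Term) -> Tuple[str, ...]:
    """Names of all active states of s, i.e. its current configuration."""
    if isinstance(s, Basic):
        return (s.name,)
    if isinstance(s, Or):
        return (s.name,) + active_states(s.subs[s.active])
    names = (s.name,)
    for c in s.subs:
        names += active_states(c)
    return names

# Constructed example: or-state n1 over n2 and the nested or-state n3, which
# ranges over n4 and n5; n1 was last exited with n3 and, inside n3, n5 active.
EXAMPLE = Or("n1", (Basic("n2"),
                     Or("n3", (Basic("n4"), Basic("n5")), active=1)),
             active=1)

if __name__ == "__main__":
    for flag in ("none", "deep", "shallow"):
        print(flag, active_states(default_hist(flag, EXAMPLE)))
```

Re-entering `n1` yields configuration `n1,n2` without history, `n1,n3,n5` with deep history and `n1,n3,n4` with shallow history, matching the informal description of the two flavors.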

4.3. Priority Concepts. Many Statecharts dialects consider an implicit priority mechanism along the hierarchy of or-states. In UML Statecharts [3], for example, inner transitions of an or-state have priority over outer transitions, while this is the other way around in STATEMATE [7]. Let us provide a flexible scheme for encoding both priority concepts, for which we introduce the notion of addresses which are built according to the BNF $\alpha ::= \bullet \mid \blacktriangledown \cdot \alpha \mid \|_l \cdot \alpha$, for $l \in \mathbb{N}$. The set of all such addresses is denoted by $\mathit{Addr}$. Each action transition is then labeled with an address pointing to the sub-term of the considered Statecharts term, from which the transition originates (cf. the subscripts of the transitions in Table 3.2). Intuitively, the symbol $\bullet$ encodes that the transition originates from the considered state, i.e., this state must be an or-state and the transition leaves the or-state’s active sub-state. Address $\blacktriangledown \cdot \alpha$ also requires the state to be an or-state and the transition to originate from address $\alpha$ of the currently active sub-state of the or-state. Finally, address $\|_l \cdot \alpha$ indicates that the considered state is an and-state with at least $l$ sub-states and that the transition originates from address $\alpha$ of the $l$-th sub-state.

Table 4.2

Priority Structure à la UML (left) and à la STATEMATE (right)

UML: $\mathrm{MI}(\bullet) =_{df} \{\blacktriangledown \cdot \beta \mid \beta \in \mathit{Addr}\}$; STATEMATE: $\mathrm{MI}(\bullet) =_{df} \emptyset$
UML: $\mathrm{MI}(\blacktriangledown \cdot \alpha) =_{df} \{\blacktriangledown \cdot \beta \mid \beta \in \mathrm{MI}(\alpha)\}$; STATEMATE: $\mathrm{MI}(\blacktriangledown \cdot \alpha) =_{df} \{\bullet\} \cup \{\blacktriangledown \cdot \beta \mid \beta \in \mathrm{MI}(\alpha)\}$
UML: $\mathrm{MI}(\|_l \cdot \alpha) =_{df} \{\|_l \cdot \beta \mid \beta \in \mathrm{MI}(\alpha)\}$; STATEMATE: $\mathrm{MI}(\|_l \cdot \alpha) =_{df} \{\|_l \cdot \beta \mid \beta \in \mathrm{MI}(\alpha)\}$


Given an address $\alpha \in \mathit{Addr}$, we can now define the set $\mathrm{MI}(\alpha)$ of addresses which are considered more important than $\alpha$ according to the chosen priority concept. The definitions of $\mathrm{MI}(\alpha)$ for the priority concepts of UML Statecharts and STATEMATE can be done straightforwardly along the structure of $\alpha$ and are given in Table 4.2. They do not require any extra explanation. Now, we can define a new transition relation $\twoheadrightarrow$ for action transitions, which coincides with the original transition relation given in Sec. 3, except that low-priority action transitions are filtered out.

$$(\mathrm{Prio})\quad \frac{s \xrightarrow[N]{E}_{\alpha} s' \qquad \nexists \beta \in \mathrm{MI}(\alpha).\ s \xrightarrow[\emptyset]{\emptyset}_{\beta}}{s \overset{E}{\underset{N}{\twoheadrightarrow}}_{\alpha} s'}$$

This rule states that an action transition located at address $\alpha$ may be executed if there exists no action transition at some more important address $\beta$, which cannot be prevented in any system environment. The justification for the fact that only action transitions with empty sets as labels have pre-emptive power over lower prioritized action transitions is similar to the one regarding the pre-emption of clock transitions in Sec. 3. One might wonder why this “two-level” definition of Statecharts semantics is still compositional, as the above side condition concerns a global property. In order to see this, one can distribute the side condition among the original rules for action transitions, such that compositionality becomes obvious (cf. App. A) or employ meta-theoretic results regarding SOS semantics (cf. [29]).
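As an added example (not from the paper), the following Python code decides membership $\beta \in \mathrm{MI}(\alpha)$ for both priority structures of Table 4.2 by recursion along the BNF, and applies Rule (Prio) to a constructed set of enabled action transitions. Assumed encoding: an address is a tuple of steps read left to right, with `"V"` for $\blacktriangledown$, an integer $l$ for $\|_l$ and the empty tuple for $\bullet$; transition names and labels are constructed for the example.

```python
from typing import FrozenSet, List, NamedTuple, Tuple, Union

# Address encoding assumed here: () is the bullet, ("V",) + a is the
# down-arrow step, (l,) + a is the parallel step for the l-th sub-state.
Addr = Tuple[Union[str, int], ...]
DOT: Addr = ()

def more_important(beta: Addr, alpha: Addr, policy: str) -> bool:
    """True iff beta is in MI(alpha) for policy 'uml' or 'statemate' (Table 4.2)."""
    if policy not in ("uml", "statemate"):
        raise ValueError(f"unknown priority policy {policy!r}")
    if alpha == DOT:
        # UML: MI(bullet) = all addresses starting with the down-arrow step;
        # STATEMATE: MI(bullet) is empty.
        return policy == "uml" and len(beta) > 0 and beta[0] == "V"
    head, rest = alpha[0], alpha[1:]
    if head == "V" and policy == "statemate" and beta == DOT:
        return True            # STATEMATE: MI(down . a) contains the bullet
    # Common clause of both tables: same leading step, recurse on the rest.
    return len(beta) > 0 and beta[0] == head and more_important(beta[1:], rest, policy)

class Trans(NamedTuple):
    name: str
    addr: Addr
    E: FrozenSet[str]          # events required from the environment
    N: FrozenSet[str]          # events that must be absent

def prio_filter(ts: List[Trans], policy: str) -> List[str]:
    """Rule (Prio): a transition at alpha survives unless some transition at an
    address beta in MI(alpha) has both label sets empty (cannot be prevented)."""
    unpreventable = [t.addr for t in ts if not t.E and not t.N]
    return [t.name for t in ts
            if not any(more_important(b, t.addr, policy) for b in unpreventable)]

# Constructed example: an and-state whose first component is an or-state n1
# with an or-state as active sub-state. t_out leaves n1's active sub-state
# (address ||_1 . bullet), t_in originates inside that sub-state
# (address ||_1 . down . bullet), t_par lives in the second component.
EXAMPLE_TRANSITIONS = [
    Trans("t_out", (1,), frozenset(), frozenset()),
    Trans("t_in", (1, "V"), frozenset(), frozenset()),
    Trans("t_par", (2,), frozenset({"a"}), frozenset()),
]

if __name__ == "__main__":
    for policy in ("uml", "statemate"):
        print(policy, prio_filter(EXAMPLE_TRANSITIONS, policy))
```

Under UML the inner `t_in` pre-empts `t_out`, under STATEMATE the outer `t_out` pre-empts `t_in`, and `t_par` is unaffected in both cases because its address shares no prefix with the others.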


5.  Related  Work.  We  categorize  related  work  along  the  three  dimensions  of  Statecharts  semantics: 
causality,  synchrony,  and  compositionality.  This  classification  has  first  been  considered  by  Huizing  and 
Gerth  [11]  who  demonstrated  that  these  dimensions  cannot  be  trivially  combined. 

The  original  Statecharts  semantics,  as  presented  by  Harel  et  al.  [8],  obeys  causality  and  synchrony. 
However,  it  ignores  compositionality  and  the  concept  of  global  consistency.  Later  on,  Huizing  et  al.  [12] 
provided  a  compositional  denotational  semantics  for  this  variant,  while  Pnueli  and  Shalev  [23]  suggested  the 
introduction  of  global  consistency  for  improving  the  practicality  of  the  variant.  However,  Pnueli  and  Shalev’s 
formalization  is  again  not  compositional. 

Other researchers have developed languages whose semantics obey the synchrony hypothesis and compositionality but violate causality. Prominent representatives of such languages include Berry’s ESTEREL [2], to which recently some dialect of Statecharts has been interfaced as graphical front-end [26], and Maraninchi’s ARGOS [17]. Both languages are deterministic and treat causality rather conservatively in a pre-processing step, before determining the semantics of the considered program as Mealy automaton via structural operational rules [18]. Moreover, ARGOS semantics significantly differs from Statecharts semantics by allowing sequential components to fire more than once within a macro step. Another approach to formalizing Statecharts, which fits into this category, is the one of Scholz [24] who uses streams as semantic domain for defining a non-causal fixed point semantics.

The popular synchronous version of STATEMATE [7] neglects the synchrony hypothesis. Events generated in one step may not be consumed within the same step but in the next step only. The operational semantics of this dialect has been compositionally formalized by Damm et al. [5]. It was also considered by Mikk et al. [19] who translated STATEMATE specifications to specification languages of model-checking tools by using hierarchical automata [20] as intermediate language. This intermediate language was employed by Latella et al. [13], too, for formalizing the semantics of UML Statecharts [3] in terms of Kripke structures. However, UML Statecharts discard not only the synchrony hypothesis but additionally negated events and, thereby, make the notion of global consistency obsolete. Their semantics was also investigated by Paltor and Lilius [21], who developed a semantic framework on the basis of a term-rewriting system.

Our work is, however, most closely related to approaches which aim at combining all three dimensions, causality, synchrony, and compositionality, within a single formalism. These approaches may be split into two classes. The first class adapts a process-algebraic approach, where Statecharts languages are embedded in process algebras, for which structured operational semantics based on labeled transition systems are defined. Uselton and Smolka [28] have pioneered this approach which has then been refined by Levi [14]. Their notion of transition system involves complex labels of the form $(E, <)$, where $E$ is a set of events and $<$ is a transitive, irreflexive order on $2^{E}$ encoding causality. The second class is characterized by following essentially the same ideas but avoiding the indirection of process algebra. Research by Uselton and Smolka [27] again employs the abovementioned partial order, whereas Maggiolo-Schettini et al. [16] require even more complex and intricate information about causal orderings, global consistency, and negated events. While our present work also fits into this class, although it originated in the former [15], it avoids complex labels by representing causality via micro-step sequences and by adding explicit clock transitions to retrieve macro-step information. Thereby, our semantics is not only simple and concise but also comprehensible and suited for interfacing Statecharts to existing analysis and verification tools. In addition, our approach is very flexible as we demonstrated by adding several prominent features, namely state references, history states, and priority concepts, to our initially primitive Statecharts dialect.

Finally,  we  briefly  comment  on  interlevel  transitions  which  prohibit  a  compositional  Statecharts  semantics 
as  they  are  based  on  the  idea  of  “goto-programming.”  First  of  all,  interlevel  transitions  jeopardize  a  strictly 
structural  definition  of  Statecharts  terms,  which  is  a  prerequisite  for  deriving  any  compositional  semantics. 
Hence,  for  modeling  interlevel  transitions,  the  syntax  of  Statecharts  must  be  changed  in  a  way  such  that 
interlevel  transitions  may  be  represented  by  several  intralevel  transitions  which  are  connected  via  dedicated 
ports.  This  can  be  done  either  explicitly,  as  in  the  Communicating  Hierarchical  State  Machine  language 
introduced  by  Alur  et  al.  [1],  or  implicitly  via  a  synchronization  scheme  along  the  hierarchy  of  or-states,  as 
in  Maraninchi’s  ARGOS  [17]. 


6.  Conclusions.  This  paper  presented  a  new  approach  to  formalizing  Statecharts  semantics,  which 
is  centered  around  the  principle  of  compositionality  and  borrows  from  ideas  developed  for  timed  process 
algebras.  In  contrast  to  related  work,  our  approach  combines  all  desired  features  of  Statecharts  semantics, 
namely  causality,  synchrony,  and  compositionality,  within  a  single  formalism,  while  still  being  simple  and 
comprehensible.  Its  foundation  on  structural  operational  rules  guarantees  that  our  semantics  is  easy  to 
implement  in  specification  and  verification  tools  and  that  it  can  be  adapted  to  several  Statecharts  dialects. 
The  proposed  semantic  framework  also  permits  the  integration  of  many  features  desired  in  practice,  as  we 
demonstrated  by  extending  it  to  dealing  with  state  references,  history  states,  and  priority  concepts.  Last,  but 
not  least,  we  hope  that  this  paper  testifies  to  the  utility  of  applying  knowledge  from  the  field  of  Concurrency 
Theory  to  formalizing  practical  specification  languages  rigorously  yet  clearly. 
Appendix A. Revised Operational Rules for Priority Concepts. In this appendix, we show that our semantics, when incorporating some priority concept along the hierarchy of or-states, does not need to be defined in two levels, as is done in Sec. 4.3. Instead one may modify the rules of action transitions presented in Sec. 3 to achieve a single-level semantics. However, this can only be done when having a specific priority concept, e.g., à la UML Statecharts [3] or à la STATEMATE [9], in mind and is not as elegant as the approach presented in the main part of the paper.

If one is interested in the priority concept of UML Statecharts, one has to replace Rules (OR1) and (AND) by Rules (OR1’) and (AND’) which are displayed in Table A.1 in order to obtain a single-level semantics. In case of STATEMATE’s priority concept, one must substitute Rules (OR2) and (AND) by Rules (OR2’) and (AND’). It is easy to inspect that the new sets of rules lead to compositional semantics. The more complex side conditions in the rules presented in Table A.1, when compared to the ones in the original rules, correspond to the “localizations” of the side condition of Rule (Prio) introduced in Sec. 4.3 and are self-explanatory. The modified transition relations for action transitions are equivalent to the transition relations $\twoheadrightarrow$ introduced in Sec. 4.3, in both the UML Statecharts and the STATEMATE setting.

Table A.1

Revised operational rules for action transitions

Theorem A.1. Let $s, s' \in \mu SC$, $E \subseteq \Pi$, $N \subseteq \Pi \cup \neg\Pi$, and $\alpha \in \mathit{Addr}$. Then $s \overset{E}{\underset{N}{\twoheadrightarrow}}_{\alpha} s'$ if and only if $s \xrightarrow[N]{E} s'$ according to the revised rules of Table A.1.

As a consequence, the operational semantics presented in Sec. 4.3 is compositional. The proof of this theorem bears no theoretical complexity and can be done along the structure of $s$. Similar proofs and constructions are standard in process-algebraic frameworks with pre-emption (see, e.g., [4]).